ShapeShift, a cryptocurreny exchange platform, announced on Reddit the findings of its investigation after $230,000 worth of bitcoin was stolen in March 2016.

On March 14, 315 bitcoins were stolen from ShapeShift’s hot wallet by one of its own employees. The authorities were called and a civil suit was opened. The site continued to operate and ShapeShift expects to recover the stolen funds.

On April 7, however, during a migration of its site, ShapeShift noticed three more wallets had been hacked: bitcoin, ethereum, and litecoin (roughly 97 BTC, 3600 ETH, and 1900 LTC).

We were initially unable to determine how it had happened. We took the site offline, and decided to assume the infrastructure itself and all keys were potentially compromised. We cycled all keys and spun up brand new infrastructure on an entirely new host, once again, 24 hours later.

During that rebuild, contact was established with the hacker, who indicated that the rogue employee from the month prior had given the hacker the information needed to carry out the attack.

Ex-employee danger

Through some investigations and chats with the criminal hacker, it had become clear that there was legitimacy in their claim that an ex-employee sold the data required to access the affected wallets.

ShapeShift’s website remains offline but is expected to be back later this week. Erik Voorhees, CEO of ShapeShift, has said that some of the funds were recovered and no customer funds were lost or at risk.

Transparency is always good

Comments on the Reddit post mostly consist of praise for the ShapeShift team for their transparency on the issue, and have wished them luck for the future. I’ve always been an advocate for communicating with customers during a data breach, especially when it’s customer data at risk.